Skip to Content

How to stop logon token re-usability in SAP Business Intelligence 4.2

Hi,

I am calling the open document URL from a JAVA portal web application.

For SSO, I am generating a token and passing as a parameter along with the open document URL.

The issue is the token which I generated can be used multiple times and initializing multiple sessions.

This seems a vulnerability since the token can be captured along with URL and reused.

I would like to know is there a way to restrict the token to be used only once to create a session on the BO server?

I have gone through lot of forums and open document developer guide and BO admin guide and applied timeout setting on the JAVA code used for calling restful api also configured enterprise token timeout setting in WACS . But the time can be controlled still re-usability exists.

I need the server in the way that only there should be authentication between the Portal application and BO server. Also if the token is captured that could not be used for second time.

Can some one suggest a way to handle this?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Jan 30 at 03:27 PM

    Yes, it is possible with a token generated through the Java SDK with a call to:

    IEnterpriseSession.getLogonTokenMgr().createLogonToken(java.lang.String clientComputerName, int validMinutes, int validNumOfLogons)

    I usually pass an empty string as the clientComputerName parameter. You would set the validMinutes and validNumOfLogons appropriate to your application. You need to make sure that the validMinutes parameter is long enough that the user can do what they need to with the report.

    -Dell

    Add comment
    10|10000 characters needed characters exceeded

    • Are you trying this on the same computer and browser session? Before or after you close the original OpenDocument call? If you're not using a different browser or computer, you will see this behavior because the session stays in memory and gets re-used from there.

      -Dell

  • Jan 30 at 03:31 PM

    Hi Naveen,

    If you are creating your logon token using enterpriseSesion.CreateWCAToken() then this token can be shared without increasing the license count and it is invalidated after logoff is called or it times out.

    What you are most likely looking for is enterpriseSession.CreateLogonToken("", numMin,numUses) where you can specify the number of times that the token can be reused as well as the number of minutes that it can be use for.

    This token will consume a license when used so you would want to log off your existing session in your portal application before re-directing to openDocument.

    Dan

    Add comment
    10|10000 characters needed characters exceeded